D.A.A.A (Claimant) v. Hospital Recoletas Ponferrada, S.L.

€16,000 in fines


The Spanish DPA fined a hospital for obtaining consent through pre-ticked boxes for commercial communication and data processing and failure to timely provide a copy of the form. 

Our analysis

The hospital, acting as the controller of the data subject's personal information, utilized a deceptive pattern by preselecting two consent boxes in the privacy notice without the data subject's knowledge or consent. The first box referred to commercial communications, and the second one referred to the consent to disclose personal data regarding the data subject's stay at the hospital and room number with third parties upon request. The hospital claimed that the pre-ticked box was a human error and that the clause about communication of patients' personal data to third parties did not apply to the data subject. However, the DPA found that the hospital violated Articles 6(1) and 15 in connection with Article 12 GDPR by unlawfully processing data for third-party sharing and commercial purposes and failing to process the data subject's access request in a timely manner. The DPA further observed that the use of pre-ticked boxes rendered consent invalid, resulting in a lack of legal basis under Article 6(1) GDPR. The hospital's action violated Article 7 GDPR and Recital 32 GDPR, which require that the consent request meet specific requirements.


The DPA had initially imposed a fine of €10,000 each for the violation of Articles 6(1) and 15 in connection with Article 12 GDPR. However, the final fine amount was reduced to €16,000 as the controller benefited from two reductions. One reduction was granted for accepting guilt, and the other was given for voluntarily paying the fine.


D.A.A.A (Claimant) and Hospital Recoletas Ponferrada, S.L.

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us